Process
runtimebroker.exe
RuntimeBroker.exe is the Runtime Broker, the process that manages permissions for Microsoft Store apps. When a Store app wants access to something sensitive like location, camera, microphone, or files, Runtime Broker checks that the app actually has that permission before handing it over. Instances appear when Store apps start and exit when they're no longer needed.
File identity
- File type: PE32+ executable
- Magic: PE32+ executable (GUI)
- Original name: RuntimeBroker.exe
- Internal name: RuntimeBroker.exe
- Product: Microsoft® Windows® Operating System
- Status: Signed
- Publisher: Microsoft Corporation
- Signer: Microsoft Windows
- Issuer: Microsoft Windows Production PCA 2011
- Signature rate: 100%
- Version: 10.0.26100.8328 (WinBuild.160101.0800) (100%)
- Size: 126.60 KB (100%)
Execution context
- Image path: C:\Windows\System32\RuntimeBroker.exe (100%)
- User: Interactive user (100%)
- Integrity level: Medium (100%)
- Concurrent instances: 5 (66.7%), 3 (33.3%)
- Session: Session 1 (100%)
- Privileges: SeChangeNotifyPrivilege (100%)
Ancestry
- Parent: svchost.exe (100%)
Not observed.
Not observed.
Not observed.
Behavior
- DLLs loaded: umpdc.dll (66.7%), combase.dll (66.7%), rpcrt4.dll (66.7%), clbcatq.dll (66.7%), gdi32full.dll (66.7%)
Not observed.
- explorer.exe (33.3%), searchhost.exe (33.3%), calculatorapp.exe (33.3%), backgroundtaskhost.exe (33.3%)
- Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding (100%)
Indicators
- SHA-256: 57c2a80f7e4e4b3472c61ed133fc34f0795f77996509b7a212fbe67f01019e7d (100%)
- SHA-1: 2bdb420a1d6076532127ab3f57953c7c2d3ffeee (100%)
- MD5: 7dcd0bbafd08fdaafcbeaf655a392ad5 (100%)
- Second 32-hex hash (type not stated): dd3379331f906897d3533db83f199654 (100%)
Analysis
RuntimeBroker.exe arrived in Windows 8 together with Store apps. Those apps run inside a sandbox (an AppContainer) with very limited rights, so they can't reach sensitive resources on their own. Runtime Broker runs outside the sandbox at normal user privilege and acts as the middleman: when an app asks for the camera, the user's contacts, or a file outside its container, the broker confirms the app declared that capability and the user allowed it, then provides the access. The sensitive work stays out of the sandboxed app's hands.
Instances are started on demand by svchost.exe (the DcomLaunch service host) whenever a Store app launches, so its parent is always that svchost.exe. It runs as the logged-in user from C:\Windows\System32\RuntimeBroker.exe, and several instances at once are normal, since modern Windows gives each app its own broker. They come and go with the apps they serve, which also means Runtime Broker is a normal sight on any Windows 10 or 11 machine and its absence is normal too when no Store apps are running.
The genuine RuntimeBroker.exe is a trusted, signed Microsoft system file. It mostly sits idle, waking briefly when an app starts or requests something.
RuntimeBroker.exe is one of those names that's present on every Windows 10 and 11 machine, usually several times over, so one more instance draws no attention. That makes it a popular disguise (T1036.005). The real file lives only in C:\Windows\System32 and is signed by Microsoft, so a copy running from a user profile, a temp folder, or anywhere else is suspect.
Its ubiquity also makes it a favorite hiding spot for attack frameworks. C2 tools commonly inject into a running Runtime Broker or spawn a sacrificial copy to host their payload (T1055), precisely because the name blends in. The giveaway is behavior: the real broker spawns no children and rarely touches the network, so an instance opening outbound connections or starting a shell is worth pulling apart.
The parent relationship is a quick check. Windows starts Runtime Broker only through COM activation by the DcomLaunch svchost.exe (hence the -Embedding switch on its command line), so an instance whose parent is an Office app, a browser, or anything else was not started by Windows. The check is not conclusive in the other direction: a tool that knows about it can spoof the parent PID (T1134.004) so its copy appears under svchost.exe, so a clean-looking parent should be confirmed against the other indicators, such as image path, signature, and the absence of children.
- Image path other than C:\Windows\System32\RuntimeBroker.exe (high)
- Parent other than svchost.exe (the DcomLaunch instance) (high)
- Any child processes (high)
- Running as NT AUTHORITY\SYSTEM instead of the logged-in user (high)
- Unsigned image or a signer other than Microsoft (high)
- Outbound network connections (med)
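The checks in the list above, as an added PowerShell example that is not part of this page or of any Microsoft tooling: it enumerates every running RuntimeBroker.exe and emits one finding per indicator an instance fails. The expected path, the DcomLaunch parent, the SYSTEM-owner and signer checks and the severity labels come from the page; the function names, the creation-time guard on the parent check (a parent PID can be reused after the real parent exits, or spoofed) and the -Embedding command-line check are this example's own additions. Run it elevated, since Win32_Process only exposes the command lines and owners of other users' processes to an administrator.

```powershell
# Added example (not from the page): audit running RuntimeBroker.exe instances
# against the indicators listed above. Requires an elevated PowerShell on Windows 8+.
# Assumed: expected image path and parent per the page; severities mirror the page's list.

$ExpectedPath = 'C:\Windows\System32\RuntimeBroker.exe'

function Get-Finding {
    param([int]$ProcessId, [string]$Severity, [string]$Indicator, [string]$Detail)
    [pscustomobject]@{ ProcessId = $ProcessId; Severity = $Severity; Indicator = $Indicator; Detail = $Detail }
}

function Test-RuntimeBrokerInstances {
    # One snapshot of the process table so parent/child lookups are consistent.
    $all     = Get-CimInstance -ClassName Win32_Process
    $brokers = $all | Where-Object { $_.Name -ieq 'RuntimeBroker.exe' }
    $byPid   = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($b in $brokers) {
        $bpid = [int]$b.ProcessId

        # 1. Image path: the genuine broker lives only in System32 (high).
        if ($b.ExecutablePath -ine $ExpectedPath) {
            Get-Finding $bpid 'high' 'image-path' "Running from '$($b.ExecutablePath)'"
        }

        # 2. Parent: must be the DcomLaunch svchost.exe and must predate the broker.
        #    ParentProcessId is a bare number: it can point at a reused PID after the
        #    real parent exits, and attackers can set it deliberately (T1134.004).
        $parent = $byPid[[int]$b.ParentProcessId]
        if (-not $parent) {
            Get-Finding $bpid 'high' 'parent' "Parent PID $($b.ParentProcessId) no longer exists"
        } elseif ($parent.Name -ine 'svchost.exe' -or $parent.CommandLine -notmatch 'DcomLaunch') {
            Get-Finding $bpid 'high' 'parent' "Parent is '$($parent.Name)' (PID $($parent.ProcessId)): $($parent.CommandLine)"
        } elseif ($parent.CreationDate -gt $b.CreationDate) {
            Get-Finding $bpid 'high' 'parent' "Parent PID $($parent.ProcessId) was created after the broker; PID reuse or spoofing"
        }

        # 3. Children: the real broker never spawns processes (high).
        #    The creation-time test skips unrelated processes that inherited a reused PID.
        $children = $all | Where-Object { [int]$_.ParentProcessId -eq $bpid -and $_.CreationDate -gt $b.CreationDate }
        foreach ($c in $children) {
            Get-Finding $bpid 'high' 'child-process' "Spawned '$($c.Name)' (PID $($c.ProcessId)): $($c.CommandLine)"
        }

        # 4. Owner: the broker runs as the interactive user, never as SYSTEM (high).
        $owner = Invoke-CimMethod -InputObject $b -MethodName GetOwner
        if ($owner.ReturnValue -eq 0 -and $owner.Domain -ieq 'NT AUTHORITY' -and $owner.User -ieq 'SYSTEM') {
            Get-Finding $bpid 'high' 'owner' 'Running as NT AUTHORITY\SYSTEM'
        }

        # 5. Signature of the on-disk image (high). Windows system binaries may be
        #    catalog-signed; Get-AuthenticodeSignature consults the catalog for them.
        if ($b.ExecutablePath -and (Test-Path -LiteralPath $b.ExecutablePath)) {
            $sig = Get-AuthenticodeSignature -FilePath $b.ExecutablePath
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'CN=Microsoft Windows') {
                Get-Finding $bpid 'high' 'signature' "Status $($sig.Status); signer '$($sig.SignerCertificate.Subject)'"
            }
        }

        # 6. Network: the broker rarely talks outbound; established TCP is worth a look (med).
        $conns = Get-NetTCPConnection -OwningProcess $bpid -State Established -ErrorAction SilentlyContinue
        foreach ($c in $conns) {
            Get-Finding $bpid 'med' 'network' "Established connection to $($c.RemoteAddress):$($c.RemotePort)"
        }

        # 7. Command line (this example's own check): COM activation by DcomLaunch
        #    always passes -Embedding, as the Behavior section shows at 100%.
        if ($b.CommandLine -and $b.CommandLine -notmatch '-Embedding\s*$') {
            Get-Finding $bpid 'med' 'command-line' "Unexpected command line: $($b.CommandLine)"
        }
    }
}

Test-RuntimeBrokerInstances | Sort-Object Severity, ProcessId | Format-Table -AutoSize
```

On a clean host the script prints nothing; every row it does print names the PID and the indicator that tripped, so a single instance that fails the path, parent and signature checks at once reads as three rows for the same PID. A parent check that passes while the image path or signature fails is exactly the pattern the PID-spoofing caveat in the analysis warns about.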
Telemetry
- Operating system: Microsoft Windows 11 Enterprise Evaluation (100%)
- First seen: 2026-06-08
- Last seen: 2026-06-08
- Machines: 1
- Executions: 2